CVE-2025-58642
enituretechnology · enituretechnology LTL Multiple Products
**A high-severity deserialization vulnerability in the enituretechnology LTL Freight Quotes plugin allows an attacker to perform object injection, potentially leading to remote code execution.**
Executive summary
A high-severity deserialization vulnerability in the enituretechnology LTL Freight Quotes plugin allows an attacker to perform object injection, potentially leading to remote code execution.
Vulnerability
The software is vulnerable to Deserialization of Untrusted Data. An attacker can supply a maliciously crafted serialized object that, when processed by the application, can trigger arbitrary code execution, data manipulation, or denial of service. This type of flaw is often exploitable by an unauthenticated remote attacker.
Business impact
Exploitation could result in a full compromise of the web server hosting the application. This places sensitive customer data, payment information, and server integrity at high risk. An attacker could steal data, deface the website, or use the server to attack other systems. The CVSS score of 7.2 (High) reflects the potential for significant impact on confidentiality, integrity, and availability.
Remediation
Immediate Action: Update the affected LTL Freight Quotes plugin to the latest patched version provided by enituretechnology without delay.
Proactive Monitoring: Review web server access logs for unusual POST requests containing long, encoded strings, which may indicate deserialization attack attempts. Monitor for unexpected file creation or process execution on the server.
Compensating Controls: A properly configured Web Application Firewall (WAF) with rules to detect and block common object injection payloads can provide a layer of defense until the patch can be applied.
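The vulnerability section describes the attacker's input as a crafted serialized object, and the monitoring guidance above asks reviewers to look for POST requests carrying long, encoded strings. The script below is an added example, not code from the advisory or from the plugin vendor, that puts both together: it walks access-log lines, pulls request parameters from the query string and from a logged request body, tries the obvious decodings (URL decoding, double URL decoding, base64) and flags any value that decodes to the header of a serialized PHP object (`O:<len>:"<class>":<count>:{`), falling back to the plain "long opaque POST value" heuristic when no object is found. The log lines, paths, parameter names and the class name `Example_Class` are all constructed for the example; the trailing quoted body field is an assumption standing in for a proxy or WAF log, since stock web servers do not log POST bodies.

```python
"""Added example: scan access-log lines for request parameters that decode to a
serialized PHP object, the shape an object-injection attempt takes.

All sample log lines, parameter names, paths and the Example_Class name below
are constructed for this example; they are not taken from the advisory.
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote_plus, unquote_plus

# Header of a serialized PHP object: O:<name length>:"<class name>":<property count>:{
PHP_OBJECT_RE = re.compile(r'O:(\d+):"([^"]*)":\d+:\{')

# Common log format, optionally followed by a quoted request body. Stock web
# servers do not log bodies; the trailing field stands in for a proxy or WAF
# log that does (an assumption of this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<body>[^"]*)")?'
)

BASE64_RE = re.compile(r'[A-Za-z0-9+/=_-]+')     # standard or URL-safe alphabet
ENCODED_RE = re.compile(r'[A-Za-z0-9+/=%_-]+')   # "looks encoded" (no spaces/punctuation)
MIN_SUSPICIOUS_LEN = 64  # POST values at least this long and fully encoded get flagged


def find_php_objects(text):
    """Return class names of serialized PHP objects found in text.

    The declared name length must equal the byte length of the class name,
    which weeds out most accidental matches in ordinary text.
    """
    return [m.group(2) for m in PHP_OBJECT_RE.finditer(text)
            if int(m.group(1)) == len(m.group(2).encode())]


def decode_candidates(value):
    """Yield plausible decodings of one parameter value: as-is, URL-decoded once
    more (to catch double encoding), and base64 with either alphabet."""
    seen = set()
    for text in (value, unquote_plus(value)):
        if text not in seen:
            seen.add(text)
            yield text
        stripped = text.strip()
        if len(stripped) < 8 or not BASE64_RE.fullmatch(stripped):
            continue
        try:
            padded = stripped + "=" * (-len(stripped) % 4)
            raw = base64.b64decode(padded, altchars=b"-_")
        except (binascii.Error, ValueError):
            continue
        decoded = raw.decode("utf-8", "replace")
        if decoded not in seen:
            seen.add(decoded)
            yield decoded


def analyze_line(line):
    """Return findings for one log line (empty list if nothing stands out)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    params = []
    path = m.group("path")
    if "?" in path:
        params += parse_qsl(path.split("?", 1)[1], keep_blank_values=True)
    if m.group("body"):
        params += parse_qsl(m.group("body"), keep_blank_values=True)

    findings = []
    for name, value in params:
        base = {"ip": m.group("ip"), "method": m.group("method"), "param": name}
        for decoded in decode_candidates(value):
            classes = find_php_objects(decoded)
            if classes:
                findings.append({**base, "reason": "php_object", "classes": classes})
                break
        else:
            # No serialized object found: still flag long opaque POST values,
            # the heuristic the monitoring guidance describes.
            if (m.group("method") == "POST" and len(value) >= MIN_SUSPICIOUS_LEN
                    and ENCODED_RE.fullmatch(value)):
                findings.append({**base, "reason": "long_encoded", "classes": []})
    return findings


def scan_log(lines):
    """Run analyze_line over log lines, tagging each finding with its line number."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for finding in analyze_line(line):
            finding["line"] = lineno
            findings.append(finding)
    return findings


# Constructed sample input. Example_Class is a harmless placeholder name, not a
# class from any real plugin; the payload declares a single string property.
PAYLOAD = 'O:13:"Example_Class":1:{s:4:"name";s:4:"test";}'
B64 = quote_plus(base64.b64encode(PAYLOAD.encode()).decode())
URLENC = quote_plus(PAYLOAD)
DOUBLE = quote_plus(URLENC)
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [10/Oct/2025:13:55:36 +0000] "GET /?s=freight+quote HTTP/1.1" 200 5123',
    f'203.0.113.9 - - [10/Oct/2025:13:56:01 +0000] "POST /index.php HTTP/1.1" 200 87 '
    f'"action=example_action&data={B64}"',
    f'203.0.113.9 - - [10/Oct/2025:13:56:07 +0000] "POST /index.php HTTP/1.1" 200 87 '
    f'"action=example_action&data={URLENC}"',
    f'203.0.113.9 - - [10/Oct/2025:13:56:12 +0000] "POST /index.php HTTP/1.1" 200 87 '
    f'"action=example_action&data={DOUBLE}"',
    '198.51.100.7 - - [10/Oct/2025:13:57:12 +0000] "POST /login HTTP/1.1" 302 0 '
    '"user=alice&token=' + "a" * 80 + '"',
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']}: {f['reason']} from {f['ip']} in param {f['param']!r} {f['classes']}")
```

Run against the constructed sample, the three `data` values are reported as `php_object` with class `Example_Class` regardless of which encoding wraps them, the long token is reported only under the weaker `long_encoded` heuristic, and the GET search is ignored. The length check on the class name is what keeps the object match precise; the `long_encoded` fallback is deliberately noisy and belongs in a review queue rather than a blocking rule.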
Exploitation status
Public Exploit Available: false
Analyst recommendation
The risk of remote code execution makes this a critical vulnerability to address. All instances of the LTL Freight Quotes plugin must be updated to a secure version without delay. Failure to do so exposes the underlying server and its data to a high risk of complete compromise.